Search This Blog

Microsoft Bug Fix from Google

Description

Google will publicly disclosing software flaws whether or
not that vendor has fixed the bug. The objective of its “Project Zero” is
to significantly reduce the number of targeted attacks. For this reason Google
is hiring additional security researchers to improve security across the
Internet. The purpose of this effort is to create a quick response capability to reduce "zero-day" vulnerabilities.

The
first result of “Project Zero” is a batch of Microsoft patches for 2015 that
fix vulnerability in Windows 8.1, discovered only two days ago. Microsoft responded
with a blog post complaining that this leaves Microsoft users in the without
adequate defenses.

Executive Guidance

Executives should welcome a third party checking of
security, particularly since bug fixes may currently be taking a very long
time, sometimes months before a correction is announced by a vendor and then
weeks before a bug fix is implemented (if ever).

For instance, Microsoft’s MS15-002 is a “critical” flaw that
makes it possible for an attacker to perform remote code execution. Microsoft’s
January 13, 2015 also includes seven additional vulnerabilities classified as
“important”.

Summary

“Project Zero” should be seen as start of a new era in
security management of systems. Only major vendors will have the staff to
accelerate the identification of software flaws from months to days. Security
interception is speeding up. Firms will need to start choosing support of cloud
computing from firms that can demonstrate such capabilities.